Insurer not liable for cyber policyholder's defense

In one of the first coverage rulings involving a cyber insurance policy, a federal court has ruled that a Travelers Cos. Inc. unit is not obligated to defend a policyholder.

Salt Lake City-based Federal Recovery Services Inc., which is in the business of providing processing, storage, transmission and other handling of electronic data for its customers, had a cyber insurance policy with Travelers Property Casualty Co. of America, according to Monday’s ruling by the U.S. District Court in Salt Lake City in Travelers Property Casualty Co. of America et al. v. Federal Recovery Services Inc. et al.

Travelers had issued a CyberFirst policy to the defendants that included a technology errors and omissions liability form stating coverage would be provided for an “errors and omissions wrongful act,” which “means any error, omission or negligent act,” says the ruling.

In October 2012, Lexington, Kentucky-based Global Fitness Holdings L.L.C., which owns and operates fitness centers in several states, entered into a servicing retail installment agreement with Federal Recovery that required Federal Recovery to process its member accounts and transfer members’ fees to Global Fitness. Global Fitness, in turn, entered into an asset purchase agreement with another fitness company under which it agreed to transfer all its member accounts data to that company.

But Federal Recovery allegedly refused to transfer some of the requested data until Global Fitness “satisfied several vague demands for significant compensation,” according to the ruling.

Global Fitness filed suit against Federal Recovery in March 2014 on charges including breach of contract. Federal Recovery then sought defense coverage from Travelers under its cyber policy.

Travelers provided a defense, but with a reservation of rights.

Travelers does not have a duty to defend Federal Recovery, says the District Court’s ruling. “While the policy covers errors, omissions and negligent acts, Global’s claims against Defendants allege far different justifications for the data to be withheld.

“Global does not allege that defendants withheld the data because of an error, omission or negligence.” Rather, it alleges the defendants “knowingly withheld this information and refused to turn it over until Global met certain demands,” the court said.

Joseph F. Bermudez, a partner with law firm Wilson, Elser, Moskowitz, Edelman & Dicker L.L.P. in Denver, who is not involved in the case, said the ruling is significant because “it’s one of the first decisions in regard to coverage under a cyber policy. We haven’t seen too many of these issues get to court.”

In its ruling, Mr. Bermudez said, the court “rightly decided” there was not an intentional act on Federal Recovery’s part.

“There has to be some type of fortuity involved” for there to be coverage under the cyber policy, Mr. Bermudez said.